Being CISO Is No Longer a Dead-End Job

A decade ago, being named CISO was considered the highest rung achievable from within the security function. This is changing, driven by increasing cyber awareness in the boardroom, the embedding of cyber risk in every part of the business through digitization and Industry 4.0, and increasingly intrusive cyber regulations. As an example of the last, a March 2017 regulation from the New York State Department of Financial Services now specifically requires covered organizations to designate a CISO who must report on the cybersecurity program to the board.

While boardrooms have become more aware of cybersecurity, CISOs have equally become more aware of business requirements and processes. The combined effect is that the role of CISO has been elevated -- to such an extent that 76% of CISOs now believe that managing cyber risk is becoming so important that we will see companies naming CISOs as CEOs in the future. This greater understanding of cybersecurity threats and realities within organizations is even challenging the old role of the CISO as the scapegoat for when things go wrong. Fifty-eight percent of CISOs now believe that going through and experiencing a data breach makes that CISO more attractive to future employers.

The figures come from a survey (PDF) of CISOs conducted by Optiv. Optiv questioned 100 heads of security in the U.S. and another 100 in the UK. Almost three-quarters were CISOs or CSOs. Thirty-eight were heads of IT, and 19 were embedded within the IT function. All, however, led the security function within their organization.

The results demonstrate an increasing business awareness of the need for cybersecurity. Ninety-six percent of the respondents either slightly or strongly agree that business executives have a better understanding of cybersecurity than they did five years ago. But it's a two-way street, because a similar number say they are taking a more strategic approach to cybersecurity and focusing on business risk rather than chasing individual threats and technologies.

Perhaps because of this heightened understanding between business and security, 86% of the respondents say they are receiving more funding for their programs than they did five years ago, while 67% believe their organizations now prioritize cybersecurity above all other business considerations. Around 25% say their business leadership considers cybersecurity important but believes it shouldn't get in the way of staff doing their jobs, and only 8% say leadership still prioritizes productivity and flexibility over cybersecurity.

Possibly the biggest difference between U.S. and UK CISOs is in their perception of threats. Criminal organizations are considered the biggest threat in the UK (31%), while employees and insiders are seen as the biggest threat in the U.S. (33%). Twenty-six percent of U.S. CISOs consider third parties to be the primary threat, while only 15% of UK CISOs agree. The perceived threat from hacktivists remains surprisingly high, at 28% in the UK and 20% in the U.S. Nation-state threats are, however, rated surprisingly low -- at just 1% in the U.S. and not cited at all in the UK.

Interestingly, the CISOs also show a strong preference for a strategic approach to security. Offered a hypothetical six-month sabbatical from any other concerns, their first priority (at 56%) would be the creation of a stronger security culture throughout the business through staff education. Second (at 53%) would be to simplify the security infrastructure by rationalizing the number and types of security tools. Third (at 52%) would be to realign development and security into a DevSecOps model (although this is a higher priority in the U.S., at 57%, than in the UK, at 47%).

More tactical uses of the sabbatical come much lower. The development of zero-trust programs is preferred by just 40%, while using the time to catch up on basic functions like patching and vulnerability scanning is chosen by just 32%.

Attitudes towards regulatory compliance also seem to be changing. A few years ago, many CISOs considered compliance to be a diversion from the primary function of security. Today, compliance simply seems to be considered another function of cybersecurity that must be done. However, there is a strong preference for a single overarching regulatory regime (such as GDPR in the EU) rather than a hodgepodge of multiple more targeted regulations (as currently occurs with the many different state-level regulations in the U.S.).

Fifty-seven percent of CISOs believe that a single regulation would mean fewer individual regulations to track. Only 24% believe this would be too expensive and complicated to implement, while another 19% say they are at, or so close to, GDPR compliance that it would make little difference. The preference for a single regulation will appeal to the big tech companies currently arguing for a federal data protection law, although their own motivation is almost certainly the expectation that a federal law would be less stringent than either the California Consumer Privacy Act (CCPA) or GDPR.

Potentially surprising is the high level of support for the idea of a global cyber Geneva Convention with an internationally agreed set of principles governing behavior on the internet. Eighty-eight percent of the respondents believe that such a convention would set guardrails for acceptable behavior and decrease malign behavior. Only 12% of CISOs believe that even if countries agreed to such a convention, they would ignore it in practice.

Microsoft has long been an advocate of such a convention, proposing it first in a paper on international norms developed under Scott Charney, and more specifically later in a proposal for a cyber Geneva Convention put forward by Brad Smith. Neither of these proposals has met with much sympathy from governments, and governments' reluctance to abandon their own stockpiles of zero-day vulnerabilities and exploits is a likely reason. All three of the U.S. NSA, the UK's GCHQ and the Australian Signals Directorate (ASD) have published descriptions of their vulnerability equities processes, which state that a vulnerability may be retained rather than disclosed to the vendor when its value to national security is judged to outweigh the benefit of having it fixed.

The primary takeaway from this report is that CISOs are no longer the poor relations in the C-suite. They are increasingly being integrated into the business functions of the organization, are no longer the automatic scapegoat for breaches, and now have a route to the top corporate position -- the CEO.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security, and has had many thousands of articles published in dozens of different magazines, from The Times and the Financial Times to current and long-gone computer magazines.